Friday, March 05, 2010

Are We Forensically Ready to Face the Challenges of Cybercrimes?

The latest trends in cybercrime mandate that we have at least a minimum mandatory Forensic Readiness Policy in place. The new measures should be designed to better manage information risk, protect the personal information of citizens and minimise the risk surrounding authorised access to protectively marked information.

But how exactly can we become 'Forensically Ready'? The term relates to the ability to forensically examine our data estate: we know where all of our data resides, we know who has accessed, copied or moved individual files, and we are capable of conducting a forensic data audit in the event of a breach. This level of security can't be handled with simple intrusion detection tools. What's needed is a comprehensive cybersecurity platform that can deliver the Privacy Impact Assessments.

A simple litmus test can help us to understand whether we are ready and able to face these new challenges. Ask ourselves these three simple questions:

• Do we know where all our data resides?

• In the event of a breach, can we prove that all the correct processes and procedures are in place?

• Does our agency/department fully understand and follow the elements of good data handling practices?

The ability to audit our data will enable us to track the flow of sensitive data within our organisation and ensure that only authorised movement occurs. For example, employees are going to move around an organisation internally. Are we able to assess whether they have taken data with them when they move? Are they authorised to do so? Is data where it is supposed to be or allowed to be? When unauthorised movement takes place, this can be flagged and corrective action can be taken.
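The kind of data audit described above can be illustrated with a small script. This is an added example, not code from the original post: it parses a constructed file-activity log, looks up the classification of each file from its directory, and flags any copy or move of sensitive data to a destination the user is not authorised for (the log format, directory classifications and authorisation table are all invented for illustration).

```python
"""Added example: flag unauthorised movement of sensitive files.

Everything here is constructed for illustration: the log lines, the mapping
from directory to classification, and the table of who may move sensitive
data where.
"""
from dataclasses import dataclass

# Constructed sample audit log: timestamp, user, action, source path, destination
SAMPLE_LOG = """\
2010-03-05T09:12:01 alice COPY /hr/payroll.xlsx /home/alice/payroll.xlsx
2010-03-05T09:15:44 bob READ /public/policy.pdf -
2010-03-05T10:02:10 carol MOVE /hr/appraisals.docx /usb/E/appraisals.docx
2010-03-05T10:30:00 alice COPY /finance/budget.xlsx /finance/archive/budget.xlsx
2010-03-05T11:00:00 dave COPY /hr/payroll.xlsx /shared/drop/payroll.xlsx
"""

# Which top-level directory holds which classification (constructed)
CLASSIFICATION = {"/hr": "sensitive", "/finance": "sensitive", "/public": "public"}

# Destination prefixes each user may move sensitive data to (constructed).
# A user absent from the table is not authorised to move sensitive data at all.
AUTHORISED = {
    "alice": ["/finance/"],   # finance admin may reorganise within /finance
    "carol": [],              # carol has changed department; authorisation withdrawn
}


@dataclass
class Event:
    ts: str
    user: str
    action: str
    path: str
    dest: str


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, dest = line.split()
        events.append(Event(ts, user, action, path, dest))
    return events


def classify(path: str) -> str:
    """Return the classification label for a path based on its top-level directory."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix + "/"):
            return label
    return "unclassified"


def flag_unauthorised(events: list) -> list:
    """Return (ts, user, action, path, dest) for every sensitive-data movement
    whose destination is outside the user's authorised prefixes."""
    findings = []
    for e in events:
        if e.action not in ("COPY", "MOVE"):
            continue                      # reads are not data movement
        if classify(e.path) != "sensitive":
            continue                      # only sensitive data is policed here
        allowed = AUTHORISED.get(e.user, [])
        if not any(e.dest.startswith(p) for p in allowed):
            findings.append((e.ts, e.user, e.action, e.path, e.dest))
    return findings


if __name__ == "__main__":
    for f in flag_unauthorised(parse_log(SAMPLE_LOG)):
        print("UNAUTHORISED MOVEMENT:", *f)
```

Run against the sample log this flags three events (alice's copy to her home directory, carol's move to removable media and dave's copy to a shared drop folder) and accepts alice's reorganisation inside /finance. In a real deployment the authorisation table would come from the HR or access-management system so that, as in the example of staff moving between departments, a change of role automatically changes what movement is permitted.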

Have we analysed the financial cost of non-compliance with data reporting requirements, e.g. increased legal fees related to the disclosure of an increased number of custodians? Investment in an effective data audit solution can reduce long-term spending by eliminating the need for expensive third-party consultants.

Are we able to manage the risk to our reputation if a data breach occurs on our watch? Public sector organisations handling data relating to the most vulnerable in society carry a burden of trust. Private sector organisations that suffer a data loss are likely to pay the price in loss of customers and a falling share price; public sector organisations may not suffer such tangible consequences directly, but the risk to their reputation and governance is as real.

Forensic Readiness – Five Key Guidelines

To have a robust Forensic Readiness Plan in place, organisations and departments need to be able to gather evidence on potential criminal activity or disputes legally and without causing disruption to day-to-day business.

This must also be done cost-effectively and in proportion to the incident - don't go spending crores of rupees of taxpayers' money on a simple data access request. On the other hand, don't scrimp on spending if it's a major criminal investigation. Some of the key elements of putting together a Forensic Readiness Plan are:

1. Define the business scenarios that require digital evidence. When is it appropriate to gather evidence and when is it not?

2. Identify sources of evidence and what sort of evidence it is. Make sure you have the resources to hand to look for it.

3. Know what you're looking for before you go and look for it. Don't gather too much or too little. Have a clear idea of what circumstances need to be in place to trigger a fuller investigation.

4. Establish security and storage rules for the handling of evidence. Keep an eye on the evidence once you have it – and make sure staff understand the consequences of not following these procedures.

5. Provide a documented real-world example that everyone can run through in advance. Ensure that all parties, including legal, are confident that the processes in place are correct.
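Guideline 4 is the one most easily supported by tooling, so here is an added example (not code from the original post) of what "security and storage rules for the handling of evidence" can mean in practice: every collected artifact gets a SHA-256 fingerprint recorded in a manifest, later checks detect any artifact that has been altered or gone missing, and each custody hand-over is appended to a log in which every entry's hash covers the previous entry, so a deleted or edited entry breaks the chain. The artifact names, contents, custodian names and timestamps are constructed for illustration.

```python
"""Added example: evidence manifest and tamper-evident custody log.

Artifact names and contents, custodian identifiers and timestamps are
constructed for illustration only.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, collector: str, collected_at: str) -> dict:
    """Record who collected what, when, and a SHA-256 fingerprint of each artifact."""
    return {
        "collector": collector,
        "collected_at": collected_at,
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in evidence.items()
        },
    }


def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Return the names of artifacts that are missing or whose hash no longer matches."""
    problems = []
    for name, rec in manifest["items"].items():
        data = evidence.get(name)
        if data is None or sha256_hex(data) != rec["sha256"]:
            problems.append(name)
    return problems


def append_custody(log: list, custodian: str, action: str, when: str) -> list:
    """Append a custody entry whose hash includes the previous entry's hash,
    so altering or removing an earlier entry invalidates everything after it."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"custodian": custodian, "action": action, "when": when, "prev": prev}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = sha256_hex(body)
    log.append(entry)
    return log


def custody_chain_intact(log: list) -> bool:
    """Recompute every entry hash and check each link back to its predecessor."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    # Constructed evidence set: a mailbox export and a web server access log
    evidence = {"mail.pst": b"constructed mailbox export",
                "access.log": b"constructed access log"}
    manifest = build_manifest(evidence, "analyst-1", "2010-03-05T12:00:00")
    print("problems after collection:", verify_manifest(manifest, evidence))

    log = []
    append_custody(log, "analyst-1", "collected", "2010-03-05T12:00:00")
    append_custody(log, "legal-1", "received for review", "2010-03-06T09:00:00")
    print("custody chain intact:", custody_chain_intact(log))
```

The manifest and custody log would be stored separately from the evidence itself (and ideally signed or written to append-only storage), otherwise someone who can alter the evidence can simply recompute the hashes. The point the guideline makes about staff understanding the consequences still applies: the script detects a broken chain, but only a documented procedure decides what happens next.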

So forensic computing and cyberforensics face a real challenge, and these branches are not yet fully developed. But by following the guidelines provided above we may greatly reduce the danger to data protection and to cyber evidence/computer evidence.